wicket-dev mailing list archives

From "Gwyn Evans" <gwyn.ev...@gmail.com>
Subject Re: security article on TSS (partly covering wicket)
Date Thu, 31 Jul 2008 19:32:54 GMT
I could be wrong, but it looked to me as if they were saying that if
you used hidden fields, then there was a potential insecurity as they
could be changed by the user.  I guess you trap that by automatically
generating an additional hidden field containing a hash of the other
hidden fields along with a randomly initialised salt value, then check
them when they are received...

/Gwyn
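The integrity check Gwyn sketches above, as an added example that is not from the thread or from Wicket itself (written in Python rather than Java because the technique is framework-independent): the extra hidden field carries an HMAC over the other hidden fields, keyed with a server-side secret rather than a salt the browser can see (a client-visible salt lets the client recompute the hash), and the server rejects any submission whose tag does not verify. `SERVER_KEY`, `INTEGRITY_FIELD` and the sample field values are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Mapping

# Hypothetical server-side secret; in a deployment it would be loaded from
# configuration and never rendered into the page.
SERVER_KEY = secrets.token_bytes(32)

# Assumed name of the extra hidden field that carries the tag.
INTEGRITY_FIELD = "_integrity"


def _canonical(fields: Mapping[str, str]) -> bytes:
    # Length-prefix every name and value so "a=bc" and "ab=c" cannot collide,
    # and sort by name so the order of fields in the form does not matter.
    out = bytearray()
    for name in sorted(fields):
        for part in (name, fields[name]):
            data = part.encode("utf-8")
            out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def sign_hidden_fields(fields: Mapping[str, str], key: bytes = SERVER_KEY) -> dict:
    """Return the hidden fields plus the tag field to render into the form."""
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    signed = dict(fields)
    signed[INTEGRITY_FIELD] = tag
    return signed


def verify_hidden_fields(submitted: Mapping[str, str], key: bytes = SERVER_KEY) -> bool:
    """Return True only if the submitted hidden fields carry a valid tag."""
    submitted = dict(submitted)
    tag = submitted.pop(INTEGRITY_FIELD, None)
    if tag is None:
        return False  # tag missing: treat as tampered
    expected = hmac.new(key, _canonical(submitted), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak the expected tag.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample: hidden fields a shop form might carry.
    form = sign_hidden_fields({"price": "19.99", "sku": "ABC-1"})
    print(verify_hidden_fields(form))                       # True
    print(verify_hidden_fields({**form, "price": "0.01"}))  # False
```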

On Thu, Jul 31, 2008 at 7:09 PM, Korbinian Bachl - privat
<korbinian.bachl@whiskyworld.de> wrote:
> Hi,
>
>
> it's *not* my opinion - I just read the article and thought you might want to
> know about it. I mean, beside that, it seems as wicket is very secure in
> comparison to the other frameworks mentioned there - Honestly, I don't know
> why these harsh reactions (other mails) came.
>
> Best,
>
> Korbinian
>
> Martijn Dashorst schrieb:
>>
>> How is HiddenField insecure in your opinion?
>>
>> Martijn
>>
>> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat
>> <korbinian.bachl@whiskyworld.de> wrote:
>>>
>>> Hi,
>>>
>>> under
>>>
>>> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
>>> is an article covering java WebApps & security; On part 2 it also looks at
>>> web frameworks for java including wicket 1.3.x - it mentions
>>>
>>> "Wicket has only one component (HiddenField) vulnerable to integrity
>>> attacks."
>>>
>>> maybe this gap could be closed? Also the rest seems also quite
>>> interesting.
>>>
>>> Best,
>>>
>>> Korbinian
